PowerShell module for the OMS Search API

Update April 5th, 2016: This blog post is now superseded by this blog post

Update October 15th 2015: The OMS PowerShell module on GitHub has been updated here and now supports Azure resource groups and start/end date & time, and will support authenticating with a service principal name (SPN).

In a previous blog post I described a scenario and use case for the Hybrid Runbook Worker, for those who have no easy way to upload modules to Azure Automation and want to use on-premises resources. With the Hybrid Runbook Worker we used the ARMclient to connect to the OMS Search API. In this blog post we'll use a PowerShell module you can upload to Azure Automation and call directly from your runbooks. The OMS module uses Azure Active Directory for authentication and authorization.

Note: The OMS Search API is not intended for bulk export of OMS analytics data. It is intended to execute "short" queries with a scoped and limited date and time range.

Download the PowerShell modules discussed in this blog post here. We will do the following in this blog post:

Create an Azure Active Directory User

Creating the necessary assets

For the two PowerShell modules we've imported in the previous steps, we need to create two connection objects. This makes life a lot easier in our runbooks, because the runbook can read credentials and workspace details from the assets instead of carrying them inline. Navigate to Assets and click on Connections:

Click on Add a connection:

Create a new Connection of type AzureActiveDirectory. Since the ClientID and Secret fields are mandatory (this will be fixed shortly) we need to fill in something here. Our runbook will not use these fields, which are meant for applications (service principals); it authenticates with the user name and password. Fill in N/A for now:

Click on Save and create the second Connection of type OperationsManagementSuite:

Click on Save.

Create our OMS Search API Runbook

In my previous blog post I talked about monitoring a honeypot account. Let's use the same scenario to create a runbook that checks for failed logons to the honeypot account on a specific server, this time using our imported PowerShell modules and the two connection assets created above.
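As an added example (not the post's own runbook and not code from the downloadable OMS module), here is a plain PowerShell runbook that does the same check by reading the two connection assets with Get-AutomationConnection and calling the OMS Search API directly through Azure Resource Manager with Invoke-RestMethod. Assumptions, labelled in the code: the connection asset names (`AADConnection`, `OMSConnection`), the field names read from each asset (Username/Password on the AAD connection; SubscriptionId, ResourceGroup, WorkspaceName on the OMS connection), the tenant, account and server values, the `Type=SecurityEvent EventID=4625` query syntax and result field names, and the Pending/polling behaviour of the search endpoint.

```powershell
# Added example runbook: queries the OMS Search API for failed logons (event 4625)
# to a honeypot account on one server, using the two connection assets from above.
# Not the original post's runbook and not the OMS module's code; see lead-in for assumptions.
param(
    [string]$AadConnectionName = 'AADConnection',           # assumed asset name
    [string]$OmsConnectionName = 'OMSConnection',           # assumed asset name
    [string]$TenantId          = 'contoso.onmicrosoft.com', # constructed sample value
    [string]$HoneypotAccount   = 'CONTOSO\honeypot',        # constructed sample value
    [string]$ServerName        = 'SRV01',                   # constructed sample value
    [int]$LookbackHours        = 1                          # keep the window short: the API is not for bulk export
)

# Well-known public client ID of the Azure PowerShell client. The AAD connection's
# ClientID/Secret fields hold 'N/A' and are deliberately not used here.
$AzurePowerShellClientId = '1950a258-2711-4e53-8ef1-0db5d4e45df2'

function Get-ArmAccessToken {
    param([string]$Tenant, [string]$Username, [string]$Password)
    # Resource owner password credentials grant for the ARM resource, using the AAD user
    # stored in the connection asset. This fails for accounts with MFA enforced; use an SPN there.
    $body = @{
        grant_type = 'password'
        resource   = 'https://management.core.windows.net/'
        client_id  = $AzurePowerShellClientId
        username   = $Username
        password   = $Password
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" -Body $body
    return $resp.access_token
}

function Search-OmsWorkspace {
    param(
        [string]$Token, [string]$SubscriptionId, [string]$ResourceGroup, [string]$Workspace,
        [string]$Query, [datetime]$Start, [datetime]$End
    )
    $base    = "https://management.azure.com/subscriptions/$SubscriptionId/resourcegroups/$ResourceGroup/providers/Microsoft.OperationalInsights/workspaces/$Workspace"
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    # Scope the query with explicit start/end (ISO 8601, UTC) and cap the result size.
    $body = @{ query = $Query; start = $Start.ToString('o'); end = $End.ToString('o'); top = 100 } | ConvertTo-Json
    $result = Invoke-RestMethod -Method Post -Uri "$base/search?api-version=2015-03-20" -Headers $headers -Body $body

    # Assumed behaviour: a search that is still running returns __metadata.Status 'Pending'
    # and must be polled by its requestId until it reports 'Successful' (bounded here to 10 tries).
    $attempts = 0
    while ($result.__metadata.Status -eq 'Pending' -and $attempts -lt 10) {
        Start-Sleep -Seconds 5
        $attempts++
        $result = Invoke-RestMethod -Method Get -Uri "$base/search/$($result.__metadata.requestId)?api-version=2015-03-20" -Headers $headers
    }
    return $result
}

# Read the two connection assets created in the Assets blade (field names assumed).
$aad = Get-AutomationConnection -Name $AadConnectionName   # Username, Password
$oms = Get-AutomationConnection -Name $OmsConnectionName   # SubscriptionId, ResourceGroup, WorkspaceName

$token = Get-ArmAccessToken -Tenant $TenantId -Username $aad.Username -Password $aad.Password

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-$LookbackHours)
# Assumed OMS search syntax: failed logon (4625) on one computer for one account.
$query = "Type=SecurityEvent EventID=4625 Computer=`"$ServerName`" Account=`"$HoneypotAccount`""

$hits = Search-OmsWorkspace -Token $token -SubscriptionId $oms.SubscriptionId -ResourceGroup $oms.ResourceGroup `
                            -Workspace $oms.WorkspaceName -Query $query -Start $start -End $end

if ($hits.value.Count -gt 0) {
    Write-Output "ALERT: $($hits.value.Count) failed logon(s) for $HoneypotAccount on $ServerName in the last $LookbackHours hour(s)"
    # Result field names assumed from the SecurityEvent type.
    $hits.value | Select-Object TimeGenerated, Account, Computer, IpAddress, LogonTypeName
} else {
    Write-Output "No failed logons for $HoneypotAccount on $ServerName since $($start.ToString('o'))"
}
```

Two practical notes. The password grant only works for a plain user account without MFA, and it puts a user's password in an automation asset; the service principal support mentioned in the October update is the better option once available, and the runbook above only needs its token function swapped. Keep `$LookbackHours` small and schedule the runbook frequently rather than widening the window, in line with the note that the Search API is for short, scoped queries, not bulk export.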